An update on creating self-signed certs.
On 12/20/2012 09:32 AM, Viktor Dukhovni wrote:
On Thu, Dec 20, 2012 at 02:15:35PM +0000, Viktor Dukhovni wrote:
People who want a more compact recipe for a self-signed cert on
a single SMTP server can use my "one-liner" (for machines whose
hostname is an FQDN):
$ tmp=$(mktemp smtpd.pem.XXXXXX) &&
openssl req -new \
-newkey rsa:1280 -keyout /dev/stdout \
-x509 -days $((365 * 10)) -subj "/CN=$(uname -n)" >> "$tmp" &&
mv "$tmp" smtpd.pem
With the "-nodes" option in most cases:
$ tmp=$(mktemp smtpd.pem.XXXXXX) &&
openssl req -new \
-newkey rsa:1280 -nodes -keyout /dev/stdout \
-x509 -days $((365 * 10)) -subj "/CN=$(uname -n)" >> "$tmp" &&
mv "$tmp" smtpd.pem
I was noticing an error in /var/log/httpd/ssl_error_log about the cert
having basicConstraints: CA=TRUE
So I worked this out on the OpenSSL list and learned that the -x509
option grabs the v3_ca section out of the openssl.cnf. By adding:
-extensions v3_req
I get CA=FALSE, though it adds KU, which is not a problem.
So either supply your own config file (which I don't like, as it is more
work to go wrong) or use the v3_req extension.
Just learning more about this onion. Layer by layer.
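The recipe above, as an added example that is not part of the thread: it generates the single-host self-signed cert with "-extensions v3_req" and then reads basicConstraints back out of the certificate so you can confirm CA:FALSE instead of finding it in ssl_error_log. To keep the result independent of whatever openssl.cnf the system ships, the script feeds openssl an inline config whose [ v3_req ] section mirrors the stock one; rsa:2048 and the separate key/cert files concatenated into smtpd.pem are my choices, not the original one-liner's.

```shell
#!/bin/sh
# Added example: self-signed cert for one SMTP host with basicConstraints
# forced to CA:FALSE via "-extensions v3_req". The inline config below
# mirrors the stock [ v3_req ] section of openssl.cnf so the outcome does
# not depend on the system configuration file.
set -eu

# make_cert OUT HOSTNAME: write private key + certificate (PEM) into OUT.
make_cert() {
    out=$1; host=$2
    dir=$(mktemp -d)
    cat > "$dir/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
EOF
    # -x509 would otherwise pull v3_ca (CA:TRUE); v3_req gives CA:FALSE + KU.
    openssl req -new -x509 -nodes -newkey rsa:2048 \
        -config "$dir/req.cnf" -extensions v3_req \
        -days $((365 * 10)) -subj "/CN=$host" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
    cat "$dir/key.pem" "$dir/cert.pem" > "$out"
    chmod 600 "$out"          # the file holds the private key
    rm -rf "$dir"
}

# ca_flag FILE: print the basicConstraints CA value, e.g. "CA:FALSE".
ca_flag() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Basic Constraints' | tail -n 1 | tr -d ' \t'
}

# Stand-alone run: same naming as the thread, hostname from uname -n.
make_cert smtpd.pem "$(uname -n)"
echo "basicConstraints of smtpd.pem: $(ca_flag smtpd.pem)"
```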